freeipa.git/install/tools/man, branch my-master FreeIPA patches Enforce host existence only where needed in ipa-replica-manage 2013-05-02T14:53:15+00:00 Tomas Babej tbabej@redhat.com 2013-04-09T11:45:34+00:00 6839483d2911d70bfcc49f8f05f0f9f1860cedb4 In ipa-replica-manage commands, we enforce that hostnames we work with are resolvable. However, this caused errors while deleting or disconnecting a ipa / winsync replica, if that replica was down and authoritative server for itself. Also adds an --no-lookup flag to disable host existence checks. https://fedorahosted.org/freeipa/ticket/3524 
In ipa-replica-manage commands, we enforce that hostnames we work
with are resolvable. However, this caused errors while deleting
or disconnecting a ipa / winsync replica, if that replica was down
and authoritative server for itself.

Also adds an --no-lookup flag to disable host existence checks.

https://fedorahosted.org/freeipa/ticket/3524
Remove obsolete self-sign references from man pages, docstrings, comments 2013-04-15T20:56:06+00:00 Petr Viktorin pviktori@redhat.com 2013-03-27T12:48:36+00:00 006ab23c6d404fd3ee1a33ac339c77789254860e Part of the work for https://fedorahosted.org/freeipa/ticket/3494 
Part of the work for https://fedorahosted.org/freeipa/ticket/3494
ipa-server-install: correct help text for --external_{cert,ca}_file 2013-04-15T11:32:58+00:00 Petr Viktorin pviktori@redhat.com 2013-03-20T13:44:22+00:00 b36380fff80d5a6755240bd65b6ef432ef2741e6 The options take PEM certificates, not PKCS#10. This corrects both the --help output and the man page. https://fedorahosted.org/freeipa/ticket/3523 
The options take PEM certificates, not PKCS#10.
This corrects both the --help output and the man page.

https://fedorahosted.org/freeipa/ticket/3523
Full system backup and restore 2013-04-12T13:59:17+00:00 Rob Crittenden rcritten@redhat.com 2013-03-13T13:36:41+00:00 c8694cb19f2b0bd20a0b3fc9df7aacec3b23a928 This will allow one to backup and restore the IPA files and data. This does not cover individual entry restoration. http://freeipa.org/page/V3/Backup_and_Restore https://fedorahosted.org/freeipa/ticket/3128 
This will allow one to backup and restore the IPA files and data. This
does not cover individual entry restoration.

http://freeipa.org/page/V3/Backup_and_Restore

https://fedorahosted.org/freeipa/ticket/3128
ipa-server-install: Remove the --selfsign option 2013-04-02T13:28:50+00:00 Petr Viktorin pviktori@redhat.com 2013-03-08T14:13:19+00:00 34aa4901412a1a73c8594b33e367c81af0305b97 Instead, certificates in pkcs12 files can be given to set up IPA with no CA at all. Use a flag, setup_ca, to signal if a CA is being installed. Design: http://freeipa.org/page/V3/Drop_selfsign Part of the work for: https://fedorahosted.org/freeipa/ticket/3494 
Instead, certificates in pkcs12 files can be given to set up
IPA with no CA at all.
Use a flag, setup_ca, to signal if a CA is being installed.

Design: http://freeipa.org/page/V3/Drop_selfsign
Part of the work for: https://fedorahosted.org/freeipa/ticket/3494
Add mkhomedir option to ipa-server-install and ipa-replica-install 2013-03-28T07:45:37+00:00 Ana Krivokapic akrivoka@redhat.com 2013-03-27T12:48:01+00:00 dae163aa37a7ea07399a964a143f378c5cb6bffa Add the option to create home directories for users on their first login to ipa-server-install and ipa-replica-install. https://fedorahosted.org/freeipa/ticket/3515 
Add the option to create home directories for users on their
first login to ipa-server-install and ipa-replica-install.

https://fedorahosted.org/freeipa/ticket/3515
Extend ipa-replica-manage to be able to manage DNA ranges. 2013-03-13T14:32:36+00:00 Rob Crittenden rcritten@redhat.com 2013-03-01T20:02:14+00:00 9005b9bc8aac7c1381aadb7d17107ebbebae005d Attempt to automatically save DNA ranges when a master is removed. This is done by trying to find a master that does not yet define a DNA on-deck range. If one can be found then the range on the deleted master is added. If one cannot be found then it is reported as an error. Some validation of the ranges are done to ensure that they do overlap an IPA local range and do not overlap existing DNA ranges configured on other masters. http://freeipa.org/page/V3/Recover_DNA_Ranges https://fedorahosted.org/freeipa/ticket/3321 
Attempt to automatically save DNA ranges when a master is removed.
This is done by trying to find a master that does not yet define
a DNA on-deck range. If one can be found then the range on the deleted
master is added.

If one cannot be found then it is reported as an error.

Some validation of the ranges are done to ensure that they do overlap
an IPA local range and do not overlap existing DNA ranges configured
on other masters.

http://freeipa.org/page/V3/Recover_DNA_Ranges

https://fedorahosted.org/freeipa/ticket/3321
Fix schema replication from old masters 2012-11-23T11:19:19+00:00 Petr Viktorin pviktori@redhat.com 2012-10-24T08:37:16+00:00 1d3ddeff54d91111d7f4f3042a22af76275ef361 The new merged database will replicate with both the IPA and CA trees, so all DS instances (IPA and CA on the existing master, and the merged one on the replica) need to have the same schema. Dogtag does all its schema modifications online. Those are replicated normally. The basic IPA schema, however, is delivered in ldif files, which are not replicated. The files are not present on old CA DS instances. Any schema update that references objects in these files will fail. The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is replicated as a blob. If we updated the old master's CA schema dynamically during replica install, it would conflict with updates done during the installation: the one with the lower CSN would get lost. Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'. Turning it off tells Dogtag to create its schema in the clone, where the IPA modifications are taking place, so that it is not overwritten by the IPA schema on replication. The patch solves the problems by: - In __spawn_instance, turning off the pki_clone_replicate_schema flag. - Providing a script to copy the IPA schema files to the CA DS instance. The script needs to be copied to old masters and run there. - At replica CA install, checking if the schema is updated, and failing if not. The --skip-schema-check option is added to ipa-{replica,ca}-install to override the check. All pre-3.1 CA servers in a domain will have to have the script run on them to avoid schema replication errors. https://fedorahosted.org/freeipa/ticket/3213 
The new merged database will replicate with both the IPA and CA trees, so all
DS instances (IPA and CA on the existing master, and the merged one on the
replica) need to have the same schema.

Dogtag does all its schema modifications online. Those are replicated normally.
The basic IPA schema, however, is delivered in ldif files, which are not
replicated. The files are not present on old CA DS instances. Any schema
update that references objects in these files will fail.

The whole 99user.ldif (i.e. changes introduced dynamically over LDAP) is
replicated as a blob. If we updated the old master's CA schema dynamically
during replica install, it would conflict with updates done during the
installation: the one with the lower CSN would get lost.
Dogtag's spawn script recently grew a new flag, 'pki_clone_replicate_schema'.
Turning it off tells Dogtag to create its schema in the clone, where the IPA
modifications are taking place, so that it is not overwritten by the IPA schema
on replication.

The patch solves the problems by:
- In __spawn_instance, turning off the pki_clone_replicate_schema flag.
- Providing a script to copy the IPA schema files to the CA DS instance.
  The script needs to be copied to old masters and run there.
- At replica CA install, checking if the schema is updated, and failing if not.
  The --skip-schema-check option is added to ipa-{replica,ca}-install to
  override the check.

All pre-3.1 CA servers in a domain will have to have the script run on them to
avoid schema replication errors.

https://fedorahosted.org/freeipa/ticket/3213
Enable transactions by default, make password and modrdn TXN-aware 2012-11-21T13:55:12+00:00 Rob Crittenden rcritten@redhat.com 2012-11-16T02:38:26+00:00 f1f1b4e7f2e9c1838ad7ec76002b78ca0c2a3c46 The password and modrdn plugins needed to be made transaction aware for the pre and post operations. Remove the reverse member hoop jumping. Just fetch the entry once and all the memberof data is there (plus objectclass). Fix some unit tests that are failing because we actually get the data now due to transactions. Add small bit of code in user plugin to retrieve the user again ala wait_for_attr but in the case of transactions we need do it only once. Deprecate wait_for_attr code. Add a memberof fixup task for roles. https://fedorahosted.org/freeipa/ticket/1263 https://fedorahosted.org/freeipa/ticket/1891 https://fedorahosted.org/freeipa/ticket/2056 https://fedorahosted.org/freeipa/ticket/3043 https://fedorahosted.org/freeipa/ticket/3191 https://fedorahosted.org/freeipa/ticket/3046 
The password and modrdn plugins needed to be made transaction aware
for the pre and post operations.

Remove the reverse member hoop jumping. Just fetch the entry once
and all the memberof data is there (plus objectclass).

Fix some unit tests that are failing because we actually get the data
now due to transactions.

Add small bit of code in user plugin to retrieve the user again
ala wait_for_attr but in the case of transactions we need do it only
once.

Deprecate wait_for_attr code.

Add a memberof fixup task for roles.

https://fedorahosted.org/freeipa/ticket/1263
https://fedorahosted.org/freeipa/ticket/1891
https://fedorahosted.org/freeipa/ticket/2056
https://fedorahosted.org/freeipa/ticket/3043
https://fedorahosted.org/freeipa/ticket/3191
https://fedorahosted.org/freeipa/ticket/3046
ipa-adtrust-install: allow to reset te NetBIOS domain name 2012-11-08T07:18:14+00:00 Sumit Bose sbose@redhat.com 2012-10-29T20:43:56+00:00 b204881ab989aa8287897711358189b687fb3996 Fixes https://fedorahosted.org/freeipa/ticket/3192 
Fixes https://fedorahosted.org/freeipa/ticket/3192